weabow

Addressing IP with System.Net.HttpClient


Hi there,

 

I need to request my server using its IP, not a domain name. The problem is that an IP can't have an SSL certificate.

 

So I get an error about the need for a certificate with this code:


 


 

procedure TForm1.Button1Click(Sender: TObject);
// Needs System.Net.HttpClient, System.Net.Mime and System.SysUtils in the uses clause
var
  serveur: THTTPClient;
  serveur_reponse: IHTTPResponse;
  post_param: TMultiPartFormData;
begin
  serveur := THTTPClient.Create;
  post_param := TMultiPartFormData.Create;
  try
    // HTTPS request addressed by IP: this is the call that fails with the certificate error
    serveur_reponse := serveur.Post('https://123.123.123.123/index.php', post_param);

    if serveur_reponse.StatusCode = 200 then
      ShowMessage(serveur_reponse.ContentAsString(TEncoding.UTF8))
    else
      ShowMessage(serveur_reponse.StatusCode.ToString);
  finally
    // Release both objects even when Post raises
    FreeAndNil(post_param);
    FreeAndNil(serveur);
  end;
end;

 

 

This code runs fine with a classic URL, but not with the IP.

 

How can I use THTTPClient and tell it not to check certificates?

 


Have you tried "serveur_reponse := serveur.post('http://123.123.123.123/index.php', post_param)"?


What is the error?

I guess you have in fact an https/TLS error: the certificate is for the domain name, and you use the IP which doesn't match the certificate.
So the request is rejected.
Try to relax the HTTPS certification validation.


Yes, it's exactly that. But how can I address my server with its IP, then?

 

What do you mean by "Try to relax the HTTPS certification validation"?

Guest

@weabow 

 

The Indy suite is @Remy Lebeau's area, so he can help for sure. Find him here among the forum members.

Note: THTTPClient is not part of the Indy suite, though.

 

hug


In general, I could see this working if you connect the underlying TCP socket to the desired IP address, and then have the TLS handshake use the SNI extension to specify the desired domain name as the target for the certificate, and also have HTTP send a "Host" header specifying the same domain name.  But I don't know if/how this can be done with THTTPClient, though.  It is not doable with Indy's TIdHTTP (without hacking its source code) since everything uses the same hostname/IP specified in the URL.
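
Added example (not from the thread, and not Delphi code): the approach described in the post above, shown with Python's standard `ssl` module because it lets the socket address and the TLS name be given separately. The hostname `www.example.com`, the function names and the use of GET instead of the original POST are assumptions for illustration; certificate verification stays enabled throughout.

```python
import socket
import ssl
import sys


def make_context():
    """TLS context with chain and hostname verification left on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # default, stated for emphasis
    ctx.verify_mode = ssl.CERT_REQUIRED  # default, stated for emphasis
    return ctx


def build_request(hostname, path):
    """Minimal HTTP/1.1 GET whose Host header names the domain, not the IP."""
    if any(c in hostname + path for c in "\r\n "):
        raise ValueError("illegal character in hostname or path")
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {hostname}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_status(status_line):
    """Extract the numeric status code from b'HTTP/1.1 200 OK'."""
    return int(status_line.split(b" ", 2)[1])


def fetch_via_ip(ip, hostname, path="/", port=443, timeout=10.0):
    """Open the TCP connection to `ip`, but do SNI and cert checks for `hostname`."""
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname sets the SNI extension and the name the certificate
        # must match; a mismatch raises ssl.SSLCertVerificationError.
        with make_context().wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_request(hostname, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status_line, _, rest = b"".join(chunks).partition(b"\r\n")
    return parse_status(status_line), rest


if __name__ == "__main__" and len(sys.argv) == 4:
    # usage: python fetch_via_ip.py <ip> <hostname> <path>
    print(fetch_via_ip(sys.argv[1], sys.argv[2], sys.argv[3])[0])
```
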


Disable server verification. IDK how to do it with THTTPClient but you have the subject to search for.

With Windows secure sockets I did this:

https://github.com/Fr0sT-Brutal/Delphi_SChannelTLS/

  // starting TLS handshake
  if sfNoServerVerify in SessionData.Flags then
    dwSSPIFlags := dwSSPIFlags or ISC_REQ_MANUAL_CRED_VALIDATION;
    
  ...
  
  // before starting TLS
  if FAddrIsIP then
  begin
      SChannelLog(loSslInfo, Format(S_Msg_AddrIsIP, [Addr]));
      Include(FSessionData.Flags, sfNoServerVerify);
  end;
    
  ...
  
  // after successful handshake
    // Don't pass host addr if it's IP otherwise verification would fail
    if FAddrIsIP then
        CheckServerCert(FhContext, '')
    else
        CheckServerCert(FhContext, Addr);

In cURL this option is called "insecure"

       -k, --insecure
              (TLS) By default, every SSL connection curl makes is verified to
              be secure. This option allows curl to proceed and  operate  even
              for server connections otherwise considered insecure.

              The  server  connection  is verified by making sure the server's
              certificate contains the right name  and  verifies  successfully
              using the cert store.

              See this online resource for further details:
               https://curl.haxx.se/docs/sslcerts.html
              See also --proxy-insecure and --cacert.

 

Edited by Fr0sT.Brutal
